Generic Certificateless Key Encapsulation ... - Semantic Scholar

Generic Certificateless Key Encapsulation Mechanism? Qiong Huang and Duncan S. Wong Department of Computer Science, City University of Hong Kong, Hong Kong, China {csqhuang, duncan}@cityu.edu.hk

Abstract. We propose the first generic construction of certificateless key encapsulation mechanism (CL-KEM) in the standard model, which is also secure against malicious-but-passive KGC attacks. It is based on an ID-based KEM, a public key encryption and a message authentication code. The high efficiency of our construction is due to the efficient implementations of these underlying building blocks, and is comparable to Bentahar et al.’s CL-KEMs, which are only proven secure under the random oracle model with no consideration of the malicious-but-passive KGC attacks. The second contribution of our work is that we introduce the notion of certificateless tag-based KEM (CL-TKEM), which is an extension of Abe et al.’s work in the certificateless setting. We show that an efficient CL-TKEM can be constructed by modifying our CL-KEM. We also show that with a CL-TKEM and a data encapsulation mechanism (DEM) secure under our proposed notions, an efficient hybrid certificateless encryption can be constructed by applying Abe et al.’s transformation in the certificateless setting.

1

Introduction

In Asiacrypt 2003, Al-Riyami and Paterson introduced the concept of certificateless cryptography [ARP03], which aims to solve the inherent key escrow problem of identity-based cryptography [Sha84]. Compared with identity-based cryptography, certificateless cryptography requires less extent of users’ trust in the KGC (Key Generation Center). Besides a unique identity ID, a user also independently generates a key pair (upkID , uskID ). The complete public key of the user will consist of both ID and upkID , and the corresponding private key will consist of uskID and a partial key pskID , which is generated by the KGC according to the value of ID. To encrypt a message, both ID and upkID are used; to decrypt a ciphertext, both uskID and pskID are required. Without any of these two keys, decryption cannot be performed properly. Since the introduction of certificateless cryptography, there have been quite a number of schemes proposed [YL04b,HSMZ05,LQ06,HWZD06,ACL+ ,LAS]. The original definition of certificateless cryptography [ARP03] has seven algorithms, which were later simplified to five algorithms by Hu et al. in [HWZD06] and shown to be more versatile than the original one. In this paper, we also use the five-algorithm variant to define a certificateless cryptosystem. Yum and Lee proposed a generic certificateless encryption scheme in [YL04a] which has later been shown to be insecure under the model of [ARP03] by Libert and Quisquater [LQ06]. In [LQ06], the authors also proposed a generic certificateless encryption scheme. However, their scheme is only proven secure in the random oracle model, which is a heuristic method for showing the security of cryptographic schemes. The security may not preserve when the random oracle ?

The authors are supported by a grant from CityU (Project No. 7001959). An abstracted version of this paper appears in [HW07].

2

Qiong Huang and Duncan S. Wong

is replaced by a hash function, even if the scheme is reduced to some complexity (or numbertheoretic) assumption. Recently, Liu et al. [LAS] proposed a certificateless encryption scheme which, to the best of our knowledge, is the first one in the standard model. In [ACL+ ], Au et al. considered another strong security model for certificateless cryptography, in which users’ trust in the KGC is further relaxed. By using the term introduced in [ACL+ ], the KGC of a certificateless cryptosystem can be malicious-but-passive. This means the KGC can be malicious so that it may not follow the scheme specification for generating system parameters and master key, while it does not actively replace a user’s public key or corrupt the user’s secret key. The purpose of such a malicious-but-passive KGC is to compromise a user’s secret key without being detected. Since the KGC does not need to replace the user’s public key or compromise the user’s machine for corrupting the user’s secret key, in practice, it is very difficult to detect the occurrence of this attack. Under the malicious-but-passive KGC attacking model, certificateless cryptosystems proposed in [ARP03,HSMZ05,LCS05] have been shown to be insecure. We can see that the newly proposed certificateless encryption scheme in [LAS] is also insecure under this model. The only provably secure certificateless encryption scheme against malicious-but-passive KGC attack currently available is due to Libert and Quisquater [LQ06], as showed in [ACL+ ]. However, the security is only proven in the random oracle model. On the other side, most of the (public key) encryption schemes in the literature have limited message spaces. That is, a message to be encrypted is assumed to have a limited length or belong to a specific group. However, this is often not the case in practice. It is inconvenient and expensive for people to transmit arbitrary messages securely by using purely public key encryption schemes. To encrypt large messages, symmetric encryption schemes are usually used as they enjoy high efficiency. However, they also suffer from the key distribution problem. To achieve high efficiency while getting rid of key distribution problem, in practice, we adopt the hybrid encryption [CS03,Sho04] mechanism, which encrypts bulk messages using a symmetric encryption scheme and encrypts a symmetric key using a public key encryption scheme. A hybrid encryption consists of two components: key encapsulation mechanism (KEM, which is the asymmetric part) and data encapsulation mechanism (DEM, which is the symmetric part). KEM encrypts the symmetric encryption key while DEM encrypts the actual message. The KEM/DEM framework was first formalized by Shoup in [Sho00]. It is very attractive and has been received a lot of attention in recent years [AGKS05,CS03,Den03,Sho00,Sho04,CCMLS06,BFMLS05,ACIK07]. To achieve the CCA2 security of the hybrid encryption, it is very natural and reasonable for us to require both the KEM part and DEM part to be CCA2 secure. However, Kurosawa and Desmedt’s hybrid encryption scheme [KD04] is an exception. Their scheme, which is a variant of Cramer and Shoup’s scheme [CS03], has the encryption scheme being CCA2 secure, but the KEM part is not [HHK05]. Dent proposed a number of efficient constructions of CCA2 secure KEMs based on some weakly secure public key encryption schemes. Bentahar et al’s [BFMLS05] extended Dent’s work into identity-based setting and certificateless setting, and also proposed several efficient constructions of ID-based KEMs and certificateless KEMs. Later, Chen et al. [CCMLS06] considered KEM/DEM framework for ID-based encryption and proposed an efficient construction of ID-based KEM, which is based on Sakai et al.’s key construction [SK03]. However, both Dent’s schemes and Bentahar et al.’s schemes are only proven in the random oracle model. Besides, the security of Bentahar et al’s certificateless KEM schemes does not consider the malicious-but-passive KGC attack. Kiltz and Galindo [KG06] proposed a

Generic Certificateless Key Encapsulation Mechanism

3

direct construction of IB-KEM without random oracles, based on Waters’ IBE scheme [Wat05]. Recently, Abe et al. [ACIK07] showed how to transform weakly secure (i.e., selective-ID CPA, or adaptive-ID CPA) identity-based KEMs to fully secure public key encryption schemes. But their transformation only applies to a specific class of IB-KEMs, named partitioned IB-KEM. An IB-KEM is partitioned if the encapsulated key K and the first part c1 of the ciphertext does not depend on ID, and given c1 and ID, the second part of the ciphertext c2 is uniquely determined. (Tag-KEM.) Abe et al. introduced in [AGKS05] a strengthened variant of KEM, called TagKEM, which is essentially a KEM but with a tag. It can be viewed as an analogue of tag-based public key encryption [Sho04,SG02,MRY04,Kil06]. Several methods for constructing Tag-KEMs were given in [AGKS05]. Interestingly, they also showed that a one-time secure DEM is enough for transforming a CCA2 secure Tag-KEM to a CCA2 secure public key encryption. This is one of the most useful applications of Tag-KEM. Our Work. We propose the first generic construction of certificateless key encapsulation mechanism (CL-KEM) in the standard model, which is also secure against malicious-but-passive KGC attacks. The construction is based on an ID-based KEM IB-KEM, a public key encryption PKE and a message authentication code MAC. The high efficiency of our construction is due to the efficient implementations of these underlying building blocks, and is comparable to Bentahar et al.’s CL-KEMs [BFMLS05], which are only proven secure under the random oracle model with no consideration of the malicious-but-passive KGC attacks. The idea of constructing a CL-KEM is as follows: first IB-KEM is invoked to generate a key K along with its encapsulation; then PKE is invoked to hide the encapsulation; at last, the final symmetric encryption key dk and a message authentication key mk are generated from K, where mk is used by MAC for ensuring the integrity of the ciphertext. The second contribution of our work is that we introduce the notion of certificateless tagbased KEM (CL-TKEM), which is an extension of Abe et al.’s work [AGKS05] from the conventional setting to the certificateless setting. We show that an efficient CL-TKEM can be constructed by modifying our CL-KEM. We also show that with a CL-TKEM and a data encapsulation mechanism (DEM) secure under our proposed notions, an efficient hybrid certificateless encryption can be constructed by applying Abe et al.’s transformation in the certificateless setting. Paper Organization. We review the definition and adversarial model of certificateless encryption in Sec. 2. In Sec. 3, we consider the certificateless KEM (CL-KEM), describe some building blocks for constructing a CL-KEM, and then show how to construct a CL-KEM in the standard model, which is also secure against the malicious-but-passive KGC attack. In Sec. 4, we extend the work of Abe et al. to the certificateless setting and give the construction of CL-TKEM as well as a certificateless hybrid encryption scheme (CL-HE). The paper is concluded in Sec. 5.

2

Definition and Adversarial Model

A certificateless encryption scheme [ARP03,ACL+ ] consists of five (probabilistic) polynomialtime (PPT) algorithms:

4


– MasterKeyGen: On input 1k where k ∈ N is a security parameter, it generates a master public/private key pair (mpk, msk). – PartialKeyGen: On input msk and a user identity ID ∈ {0, 1}∗ , it generates a user partial key pskID . – UserKeyGen: On input mpk and a user identity ID, it generates a user public/private key pair (upkID , uskID ). – Enc: On input mpk, a user identity ID, a user public key upkID and a message m, it returns a ciphertext c. – Dec: On input a user partial key pskID , a user private key uskID , and a ciphertext c, it returns the plaintext m or ⊥ indicating the failure of decryption. In practice, the KGC (Key Generation Center) performs the first two algorithms: MasterKeyGen and PartialKeyGen. The master public key mpk is then published and it is assumed that everyone in the system can get a legitimate copy of mpk. It is also assumed that the partial key is issued to the corresponding user via a secure channel so that no one except the intended user can get it. Every user in the system also performs UserKeyGen for generating its own public/private key pair and publishes the public key. The correctness requirement is defined in the conventional way. We skip the details and refer readers to [ARP03,ACL+ ] for details. Adversarial Model. We consider two security types: Type-I and Type-II, along with two adversaries, A1 and A2 , respectively. Adversary A1 can compromise user private key uskID or replace user public key upkID , but can neither compromise master private key msk nor get access to user partial key pskID . Adversary A2 models a malicious-but-passive KGC [ACL+ ] which controls the generation of the master public/private key pair, and that of any user partial key pskID . The following are five oracles which can be accessed by the adversaries. – CreateUser: On input an identity ID ∈ {0, 1}∗ , if ID has not been created, the oracle runs pskID ← PartialKeyGen(msk, ID) and (upkID , uskID ) ← UserKeyGen(mpk, ID). It then stores (ID, pskID , upkID , uskID ) into List1 and ID is said to be created. upkID is returned. – RevealPartialKey: On input an identity ID, the oracle searches List for an entry corresponding to ID. If it is not found, ⊥ is returned; otherwise, the corresponding pskID is returned. – RevealSecretKey: On input an identity ID, the oracle searches List for the entry of ID. If it is not found, ⊥ is returned; otherwise, the corresponding uskID is returned. – ReplaceKey: On input ID along with a user public/private key pair (upk 0 , usk 0 ), the oracle searches List for the entry of ID. If it is not found, nothing will be carried out. If usk 0 = ⊥, the oracle sets usk 0 = uskID . Then, it replaces (ID, pskID , upkID , uskID ) in List with (ID, pskID , upk 0 , usk 0 ). – Decryption: On input an identity ID and a ciphertext c, the oracle searches List for the entry of ID. If it is not found, ⊥ is returned. Otherwise, it runs m ← Dec(pskID , uskID , c) and returns m. Note that the original upkID (which is returned by CreateUser oracle) may have been replaced by the adversary. Remark : In the original adversarial model of certificateless encryption [ARP03,LQ06], it is required that the Decryption oracle should provide correct decryptions even after the user public 1

Note that the list List is shared among all the oracles.


5

key has been replaced by the adversary while the corresponding user secret key is not known. We believe that the model is hardly realistic. In this paper, we only require the Decryption oracle to perform the decryption task by using the current user keys. This also captures the case that the user public key is replaced by the adversary, but the user secret key remains the same. It is possible that the message m recovered from the ciphertext by using the current uskID is ⊥. We now specify the two security types using the following games. Game-I : Let C1 be the challenger/simulator and k ∈ N be a security parameter. 1. C1 runs (mpk, msk) ← MasterKeyGen(1k ), and then invokes A1 on input 1k and mpk. 2. In the game, A1 can query CreateUser, RevealPartialKey, RevealSecretKey, ReplaceKey and Decryption. 3. A1 submits two equal-length messages (m0 , m1 ) along with a target identity ID∗ . 4. C1 selects a random bit b ∈ {0, 1}, computes a challenge ciphertext c∗ by running c∗ ← Enc(mpk, ID∗ , upkID∗ , mb ), and returns c∗ to A1 , where upkID∗ is the user public key currently in List for ID∗ . 5. A1 continues to issue queries as in step 2. Finally it outputs a bit b0 . A1 is said to win the game if b0 = b, and (1) A1 did not query RevealPartialKey on ID∗ , (2) A1 did not query Decryption on (ID∗ , c∗ ). We denote by P r[A1 Succ] the probability that A1 wins the game, and define the advantage of A1 in Game-I to be AdvA1 = P r[A1 Succ] − 12 . Game-II : Let C2 be the simulator/challenger and k ∈ N be a security parameter. 1. C2 runs A2 on input 1k , which returns a master public key mpk to C2 . 2. A2 can then start querying CreateUser, RevealSecretKey, ReplaceKey and Decryption. Note that oracle RevealPartialKey is no longer needed as A2 may know the master private key msk, or A2 may not follow the specification of MasterKeyGen when generating mpk. Also note that when A2 queries CreateUser, it has to additionally provide the user partial key pskID . 3. A2 submits two equal-length messages (m0 , m1 ) along with a target identity ID∗ . C2 randomly selects a bit b, and computes the challenge ciphertext c∗ by running c∗ ← Enc(mpk, ID∗ , upkID∗ , mb ). It returns c∗ to A2 . 4. A2 continues to issue queries as in step 2. Finally, it outputs a bit b0 . A2 is said to win the game if b0 = b, and (1) A2 did not query RevealSecretKey on ID∗ , (2) A2 did not query ReplaceKey on (ID∗ , ·, ·) to replace upkID∗ , (3) A2 did not query Decryption on (ID∗ , c∗ ). Similarly, we denote by P r[A2 Succ] the probability that A 2 wins the game, and define the advantage of A2 in Game-II to be AdvA2 = P r[A2 Succ] − 21 . Definition 1. A certificateless encryption scheme CLE is said to be Type-I ID-CCA2 secure (resp. Type-II ID-CCA2 secure) if there is no probabilistic polynomial-time adversary A1 (resp. A2 ) which wins Game-I (resp. Game-II) with non-negligible advantage. CLE is said to be ID-CCA2 secure if it is both Type-I ID-CCA2 secure and Type-II ID-CCA2 secure.

6


3

Certificateless KEM

In this section, we first define a certificateless KEM (CL-KEM) and specify its security requirements. Then we describe two of the building blocks used in our CL-KEM construction. The building blocks are a strong one-time unforgeable message authentication code and a key derivation function. Finally, we propose a CL-KEM (Sec. 3.3) and show its security in the standard model. A standard KEM (in the public key setting) is defined by the following three PPT algorithms (KG, Encap, Decap): – KG is a key generation algorithm, which takes 1k as input and outputs a public/private key pair (pk, sk). – Encap is a key encapsulation algorithm, which takes as input pk and outputs an encapsulation key pair (K, e) ∈ Kpk ×Epk , where e is called the encapsulation of key K, and K is considered to be distributed uniformly in the key space Kpk . – Decap is a decapsulation algorithm, which takes as input (sk, e) and outputs the corresponding key K, or an invalid encapsulation symbol ⊥. Now we extend the standard KEM to the certificateless setting, and obtain the definition of a certificateless KEM (CL-KEM). A CL-KEM is defined by the following quintuple of PPT algorithms (MasterKeyGen, PartialKeyGen, UserKeyGen, Encap, Decap): – MasterKeyGen, PartialKeyGen and UserKeyGen are defined in the same way as that for a certificateless encryption scheme (Sec. 2). K × – Encap takes as input (mpk, upkID , ID) and outputs an encapsulation key pair (K, e) ∈ Kmpk,upk ID ,ID Empk,upkID ,ID , where e is called the encapsulation of key K and K is considered to be uniformly K . distributed in Kmpk,upk ID ,ID – Decap takes as input ((pskID , uskID ), ID, e) and outputs the corresponding key K, or a special symbol ⊥ indicating invalid encapsulation. On the security requirements of a CL-KEM scheme, we consider two security types: Type-I and Type-II, as we do for a certificateless encryption scheme (Sec. 2). Similarly, adversaries in the corresponding games will have access to five oracles, CreateUser, RevealPartialKey, RevealSecretKey, ReplaceKey and Decapsulation, where the first four are defined in the same way as that in the security models of a certificateless encryption scheme (Sec. 2), while the last one is defined as follows. Decapsulation: On input an identity ID and an encapsulation e, the oracle searches List for the entry of ID. If it is not found, ⊥ is returned. Otherwise, it returns K ← Decap((pskID , uskID ), ID, e). In the following, we specify two games for Type-I and Type-II security, which are described together as follows: Game-I0 (Game-II0 ) Let k ∈ N be the security parameter, CI and CII be the challengers of Game-I0 and Game-II0 , respectively. Let AI and AII be PPT adversaries playing Game-I0 and Game-II0 , respectively. For simplicity, we use C to denote the challenger and use A to denote the adversary in both Game-I0 and Game-II0 if not specified:


7

1. In Game-I0 , C computes MasterKeyGen(1k ) and runs A on input 1k and mpk; In GameII0 , C runs A on input 1k which then returns mpk. 2. In the game, A can query CreateUser, RevealPartialKey, RevealSecretKey, ReplaceKey and Decapsulation. Note that in Game-II0 , oracle RevealPartialKey is not needed by A because of knowledge of msk. At the end of this stage, A submits a target identity ID∗ ∈ {0, 1}∗ . K 3. C runs (K1 , e∗ ) ← Encap(mpk, upkID∗ , ID∗ ) and randomly selects K0 ← Kmpk,upk ∗. ID∗ ,ID ∗ A coin b is then flipped, and (Kb , e ) is returned to A. 4. A continues to issue queries as in step 2. Finally it outputs a bit b0 . A wins the game if b0 = b and (1) it did not query RevealPartialKey on ID∗ , (2) it did not query Decapsulation on (ID∗ , e∗ ), and (3) if in Game-II0 , it did not query ReplaceKey on ID∗ . We denote by P r[A Succ] the probability that A wins the game and define the advantage of A in 1 the game to be AdvA = P r[A Succ] − 2 . Definition 2. A certificateless key encapsulation mechanism CL-KEM is said to be Type-I IDCCA2 secure (resp. Type-II ID-CCA2 secure) if there is no probabilistic polynomial-time adversary A1 (resp. A2 ) which wins Game-I0 (resp. Game-II0 ) with non-negligible advantage. CL-KEM is said to be ID-CCA2 secure if it is both Type-I ID-CCA2 secure and Type-II ID-CCA2 secure. 3.1

Message Authentication Code

A message authentication code MAC is a pair of polynomial-time algorithms (Mac, Vrfy) such that: – Mac takes as input a key mk ∈ KM and a message m, and outputs a tag σ, where m is in some implicit message space. We denote this by σ ← Macmk (m). Without loss of generality, we assume that the key space KM of MAC is {0, 1}k where k is a security parameter. – Vrfy takes as input a key mk, a message m and a tag σ and outputs a bit b ∈ {0, 1} where the 1-value of b indicates ’accept’ and 0-value indicates ’reject’. We denote this by b ← Vrfymk (m, σ). For the security of MAC, we consider the following game: 1. A random key mk ∈ {0, 1}k is chosen; 2. Adversary AM (1k ) is allowed to submit one message m and get σ ← Macmk (m). 3. Finally, AM outputs (m∗ , σ ∗ ). We say that AM wins if 1 ← Vrfymk (m∗ , σ ∗ ) and (m∗ , σ ∗ ) 6= (m, σ) (assuming that AM did issue a query for a tag on input m in step 2). Definition 3. A message authentication code MAC is said to be strong one-time unforgeable, if for any PPT adversary AM , the probability that AM wins the game above is negligible in k. 3.2

Key Derivation Function (KDF)

As in [AGKS05,CS03], our proposed construction of CL-KEM (Sec. 3.3) also uses a key derivation function, KDF2 , that maps a key K generated by KEM into a pair of keys (dk, mk) for data

8


encapsulation mechanism DEM and message authentication code MAC. We require the output distribution (dk, mk) of KDF2 to be (computationally) indistinguishable from uniform, when the input K is uniformly distributed. Let KDF2 : KK → KD × KM and {KDF2 }k be a family of functions indexed by the key-spaces K associated to the same security parameter k. In our case, KK is the union of all Kmpk,upk . We ID ,ID require that the distribution of KDF2 is indistinguishable from uniform over KD × KM . Formally, let D1 = {(dk, mk) | K ← KK , (dk, mk) ← KDF2 (K)} , and D0 = {(dk, mk) | (dk, mk) ← KD × KM } We say that KDF2 is secure if for any polynomial time algorithm AKDF , the following probability P r b ← {0, 1}, (dk, mk) ← Db , b0 ← AKDF ((mpk, upkID , ID), KDF2 , (dk, mk)); b0 = b − 1 2 is negligible in k, where the probability is taken over the choice of KDF2 which includes the coins of CL-KEM.MasterKeyGen and CL-KEM.UserKeyGen that determine KK , and the choice of (dk, mk), b and the coins of AKDF . In our construction of certificateless KEM, we need to consider the following two distributions: U1 = D1 , and U0 = {(dk, mk) | K ← KK , (dk, ∗) ← KDF2 (K), mk ← KM } It is easy to obtain the following lemma: Lemma 1. If KDF2 is secure, then for any PPT adversary A, |P r [1 ← A(dk, mk) | (dk, mk) ← U0 ] − P r [1 ← A(dk, mk) | (dk, mk) ← U1 ]| is negligible in k. 3.3

A Generic Construction of CL-KEM

Let IB-KEM = (KG, Extract, Encap, Decap) be an ID-CCA2 secure identity-based key encapsulation mechanism [CCMLS06], PKE = (KG, Enc, Dec) be an CCA2 secure public key encryption scheme, KDF2 be a secure key derivation function, and MAC = (Mac, Vrfy) be a strong one-time message authentication code. (Readers can refer to Appendix A for formal definitions of IB-KEM and PKE.) The certificateless KEM CL-KEM is constructed as in Fig. 1. Note that in CL-KEM.Decap, if either of PKE.Dec and IB-KEM.Decap outputs ⊥, ⊥ is returned. For the security of the above construction of CL-KEM, we have the following two theorems: Theorem 1. The CL-KEM proposed above is Type-I ID-CCA2 secure. Theorem 2. The CL-KEM proposed above is Type-II ID-CCA2 secure.


9

– MasterKeyGen: On input 1k , the KGC runs (mpk, msk) ← IB-KEM.KG(1k ) and returns mpk. – PartialKeyGen: On input an identity ID, the KGC runs pskID ← IB-KEM.Extract(msk, ID) and returns pskID . – UserKeyGen: On input 1k and mpk, the user ID runs (upkID , uskID ) ← PKE.KG(1k ), and returns upkID . – (dk, e) ← Encap(mpk, upkID , ID): – dk ← Decap(pskID , uskID , ID, e): (K, ψ) ← IB-KEM.Encap(mpk, ID)

(ϕ, σ) ← e

ϕ ← PKE.Enc(upkID , ψ)

ψ ← PKE.Dec(uskID , ϕ)

(dk, mk) ← KDF2 (K)

K ← IB-KEM.Decap(pskID , ID, ψ)

σ ← MAC.Macmk (ϕ)

(dk, mk) ← KDF2 (K)

e ← (ϕ, σ)

If 0 ← MAC.Vrfymk (σ, ϕ), dk ← ⊥.

Fig. 1. CL-KEM Intuitively, to prove these theorems, we may first modify the attacking game of the adversary in such a way that the key of MAC, mk, is randomly selected at the begining of the game, which cause only negligible difference in the probability that the adversary wins the game. Then Theorem 1 can be proved by the ID-CCA2 security of IB-KEM and the strong one-time unforgeability of MAC, and Theorem 2 can be proved by the CCA2 security of PKE and the strong one-time unforgeability of MAC as well. Readers can refer to Appendix B and C for the detailed proofs of the above two theorems, respectively. From the theorems we immediately get the following corollary: Corollary 1. CL-KEM is an ID-CCA2 secure certificateless KEM scheme. Discussions: For instantiations, we can employ Kiltz-Galindo IB-KEM scheme [KG06] as our IB-KEM. Since any ID-CCA2 secure identity-based encryption is trivially an ID-CCA2 secure IDbased KEM, it is optional for us to instantiate IB-KEM with such an IBE scheme, such as the schemes in [Gen06]. As for PKE, we can instantiate it with Cramer and Shoup’s scheme [CS98] or Kurosawa and Desmedt’s scheme [KD04]. Besides these two, there are still many efficient public key encryption schemes for us to choose. There are a number of efficient strong one-time message authentication code in the literature. For our case, we may use CBC-MAC with 128-bit AES as the underlying block cipher. However, it is still a good choice for us to use strong one-time MACs with information-theoretic security [Sti94,WC81].

4

Hybrid Certificateless Encryption

In this section we show how to construct a hybrid certificateless encryption scheme to encrypt messages of unbounded length, by using the certificateless KEM CL-KEM and a DEM scheme. (Readers can refer to Appendix A for a formal definition of DEM.) We show that this can be achieved by extending the idea of Abe et al. [AGKS05] to our certificateless setting. In short, their result shows that a combination of a strengthened variant of (CCA2 secure) KEM, TagKEM, and a one-time DEM leads to a CCA2 hybrid public key encryption. We show a similar result detailed below but under the certificateless setting.

10

4.1


Our Certificateless Tag-KEM (CL-TKEM)

Essentially, a Tag-KEM is a KEM with a tag. The Encap algorithm of a KEM is splitted into two in a Tag-KEM, Key and Encap. KG remains the same in a Tag-KEM and Decap is modified to take a tag as an additional input. Similar to the extension from KEM to Tag-KEM in the public key setting in [AGKS05], we now extend CL-KEM to certificateless Tag-KEM (CL-TKEM): – MasterKeyGen, PartialKeyGen, UserKeyGen are the same as those of a CL-KEM. – Key takes as input mpk, ID and upkID , and outputs a key dk and some internal state information w. We denote it by (dk, w) ← Key(mpk, ID, upkID ). – Encap takes as input w and a tag τ ∈ {0, 1}∗ , and outputs the corresponding encapsulation e. We denote it by e ← Encap(w, τ ). – Decap takes as input pskID , uskID , ID, a tag τ and a purported encapsulation e, and outputs the corresponding key dk, or a special symbol ⊥ indicating invalid encapsulation. We denote it by dk ← Decap(pskID , uskID , ID, τ, e). Analogously, we can define the security of CL-TKEM. In a CL-TKEM, an adversary has access to the same five oracles as in a CL-KEM, with the only exception that the Decapsulation oracle has a tag τ as an additional input. The security of a CL-TKEM requires the adversary could not distinguish whether a given dk is the one embeded in the encapsulation or not, with adaptive access to these oracles. We also consider two types of security of a CL-TKEM, and described the two games together as follows: Game-I00 (Game-II00 ) : Let k ∈ N be the security parameter, CI and CII be the challengers of Game-I00 and Game-II00 , respectively. Let AI and AII be PPT adversaries playing Game-I00 and Game-II00 , respectively. For simplicity, we use C to denote the challenger and use A to denote the adversary in both Game-I00 and Game-II00 if not specified: 1. In Game-I00 , C computes MasterKeyGen(1k ) and runs A on input 1k and mpk; In GameII00 , C runs A on input 1k which then returns mpk. 2. A could adaptively issue queries to oracles CreateUser, RevealPartialKey, RevealSecretKey, ReplaceKey and Decapsulation. Note that in Game-II00 , RevealPartialKey is not needed since the adversary has the knowledge of msk. 3. A submits a target identity ID∗ to C, which then computes (dk1 , w) ← Key(mpk, upkID∗ , ID), randomly selects dk0 ← KD , flips a coin b ∈ {0, 1} and returns dkb back to A. 4. A continues to issue queries to its oracles. At some point it submits a target tag τ ∗ to C, which then computes e∗ ← Encap(w, τ ∗ ) and returns e∗ back to A. 5. A continues to issue queries again. 6. Finally A outputs a bit b0 as its guess for whether e∗ is an encapsulation of dkb . A is said to win the game if b0 = b and (1) it did not issue a RevealPartialKey query on ID∗ , (2) it did not a Decapsulation query on (ID∗ , τ ∗ , e∗ ), and (3) if in Game-II00 , it did not issue a ReplaceKey query on (ID∗ , ·, ·) to replace upkID∗ . We denote by P r[A Succ] the probability that A wins the game and define the advantage of A to be AdvA = P r[A Succ] − 12 . Definition 4. A certificateless Tag-KEM CL-TKEM is said to be Type-I Tag-ID-CCA2 secure (resp. Type-II Tag-ID-CCA2 secure) if there is no PPT adversary AI (resp. AII ) which wins Game-I00 (resp. Game-II00 ) with non-negligible advantage. CL-TKEM is said to be Tag-ID-CCA2 secure if it is both Type-I Tag-ID-CCA2 secure and Type-II Tag-ID-CCA2 secure.


11

Now we show how to modify the above construction of CL-KEM to a certificateless Tag-KEM CL-TKEM, as in Fig. 2. – MasterKeyGen, PartialKeyGen and UserKeyGen are the same as those of CL-KEM. – (dk, w) ← Key(mpk, upkID , ID): (K, ψ) ← IB-KEM.Encap(mpk, ID) (dk, mk) ← KDF2 (K) w ← (upkID , mk, ψ) – dk ← Decap(pskID , uskID , ID, τ, e):

– e ← Encap(w, τ ): (upkID , mk, ψ) ← w

(ϕ, σ) ← e

ϕ ← PKE.Enc(upkID , ψ)

ψ ← PKE.Dec(uskID , ϕ)

σ ← MAC.Macmk (ϕkτ )

K ← IB-KEM.Decap(pskID , ID, ψ)

e ← (ϕ, σ)

(dk, mk) ← KDF2 (K) If 0 ← MAC.Vrfymk (σ, ϕkτ ), dk ← ⊥.

Fig. 2. CL-TKEM

As we can see from the above construction, CL-TKEM differs from CL-KEM in the generation of σ, and the tag τ merely appears in the MAC during the generation of an encapsulation. By the ID-CCA2 security of CL-KEM and the strong one-time unforgeability of MAC, the adversary would not gain any advantage by manipulating (ϕ, σ). Thus, we have the following theorem: Theorem 3. CL-TKEM is a Tag-ID-CCA2 secure certificateless Tag-KEM. The security proof is similar to that of Theorem 1 and 2, so we omit it here. Discussion: The construction of Tag-KEM in [AGKS05] combines a KEM and a message authentication code MAC. Since a MAC is already used in our construction of CL-KEM, there is no need for us to add a new MAC into the construction of CL-TKEM as in [AGKS05]. Thus, our construction of CL-TKEM is essentially the same as that of CL-KEM, with only a difference in the generation of σ. The computation cost of CL-TKEM is merely slightly more than that of CL-KEM, due to the larger input to MAC. 4.2

Our Hybrid Certificateless Encryption

As shown in [AGKS05], a one-time secure data encapsulation mechanism DEM is enough for constructing a CCA2 public key encryption scheme, by integrating with a CCA2 secure TagKEM. Roughly speaking, at first a symmetric key is generated, and the message is encrypted under DEM by using this key, then the resulting symmetric ciphertext is used as a tag to encrypt the key under the Tag-KEM. Based on this idea, we can also construct a hybrid certificateless encryption scheme CL-HE from a certificateless Tag-KEM CL-TKEM and a DEM. The scheme is described as in Fig. 3. Analogously to Theorem 3.1 in [AGKS05], we have the following theorem:

12

Qiong Huang and Duncan S. Wong – MasterKeyGen, PartialKeyGen and UserKeyGen are the same as those of CL-TKEM. – c ← Enc(mpk, upkID , ID, m): – m ← Dec(pskID , uskID , ID, c): (w, dk) ← CL-TKEM.Key(mpk, ID)

(e, χ) ← c

χ ← DEM.Encdk (m)

dk ← CL-TKEM.Decap(pskID , uskID , ID, χ, e)

e ← CL-TKEM.Encap(w, χ)

m ← DEM.Decdk (χ)

c ← (e, χ)

If dk = ⊥, ⊥ is returned.

Fig. 3. CL-HE Theorem 4. The hybrid certificateless encryption scheme CL-HE proposed above is ID-CCA2 secure, provided that the underlying certificateless Tag KEM CL-TKEM is Tag-ID-CCA2 secure and DEM is one-time secure. This theorem comes immediately from the following two lemmas: Lemma 2. CL-HE is Type-I ID-CCA2 secure, provided that CL-TKEM is Type-I Tag-ID-CCA2 secure and DEM is one-time secure. Lemma 3. CL-HE is Type-II ID-CCA2 secure, provided that CL-TKEM is Type-II Tag-ID-CCA2 secure and DEM is one-time secure. The proofs of these two lemmas are similar to that in [AGKS05]. Readers can refer to Appendix D for the proofs.

5

Conclusion

We proposed the first generic construction of CL-KEM in the standard model, which is also secure against malicious-but-passive KGC attacks. Our construction can be instantiated efficiently and is comparable to Bentahar et al.’s CL-KEMs [BFMLS05], which have only been proven secure under the random oracle model with no consideration of the malicious-but-passive KGC attacks. We also introduced notion of certificateless tag-based KEM (CL-TKEM), which is an extension of Abe et al.’s work [AGKS05] from the standard setting to the certificateless setting. We showed that an efficient CL-TKEM can be constructed by modifying our CL-KEM. We also showed that with a CL-TKEM and a data encapsulation mechanism (DEM) secure under our proposed notions, an efficient hybrid certificateless encryption can be constructed by applying Abe et al.’s transformation in the certificateless setting.

References ACIK07.

ACL+ .

Masayuki Abe, Yang Cui, Hideki Imai, and Eike Kiltz. Efficient hybrid encryption from ID-based encryption. Cryptology ePrint Archive, Report 2007/023, 2007. http://eprint.iacr.org/2007/023. (Cited on pages 2 and 3.) Man Ho Au, Jing Chen, Joseph K. Liu, Yi Mu, Duncan S. Wong, and Guomin Yang. Malicious KGC attacks in certificateless cryptography. To appear in ACM ASIACCS 2007, also at http: //eprint.iacr.org/2006/255. (Cited on pages 1, 2, 3, and 4.)

Generic Certificateless Key Encapsulation Mechanism AGKS05.

13

M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup. Tag-KEM/DEM: A new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In Proc. of EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 128–146. Springer-Verlag, 2005. Full paper can be found at http://eprint.iacr.org/2005/027. (Cited on pages 2, 3, 7, 9, 10, 11, and 12.) ARP03. S. S. Al-Riyami and K. G. Paterson. Certificateless public key cryptography. In Proc. of ASIACRYPT 2003, volume 2894 of Lecture Notes in Computer Science, pages 452–473. Springer-Verlag, 2003. (Cited on pages 1, 2, 3, and 4.) BFMLS05. K. Bentahar, P. Farshim, J. Malone-Lee, and N.P. Smart. Generic constructions of identity-based and certificateless KEMs. Cryptology ePrint Archive, Report 2005/058, 2005. http://eprint.iacr. org/2005/012. Also to appear in Journal of Cryptology. (Cited on pages 2, 3, and 12.) CCMLS06. L. Chen, Z. Cheng, J. Malone-Lee, and N. Smart. Efficient ID-KEM based on the Sakai-Kasahara key construction. IEE Proceedings - Information Security, 153(1):19–26, March 2006. (Cited on pages 2, 8, and 15.) CS98. Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Proc. of CRYPTO 98, volume 1462 of Lecture Notes in Computer Science, pages 13–25. Springer-Verlag, 1998. (Cited on page 9.) CS03. R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Computing, 33(1):167–226, 2003. (Cited on pages 2 and 7.) Den03. A. Dent. A designer’s guide to kems. In Cryptography and Codings, volume 2898 of Lecture Notes in Computer Science, pages 133–151. Springer-Verlag, 2003. (Cited on page 2.) Gen06. Craig Gentry. Practical identity-based encryption without random oracles. In Serge Vaudenay, editor, Proc. of EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 445–464. Springer-Verlag, 2006. (Cited on page 9.) HHK05. J. Herranz, D. Hofheinz, and E. Kiltz. The Kurosawa-Desmedt key encapsulation is not chosenciphertext secure. Cryptology ePrint Archive, Report 2005/207, 2005. http://eprint.iacr.org/ 2005/207. (Cited on page 2.) HSMZ05. X. Huang, W. Susilo, Y. Mu, and F. Zhang. On the security of certificateless signature schemes from Asiacrypt 2003. In Cryptology and Network Security, 4th International Conference, CANS 2005, volume 3810 of Lecture Notes in Computer Science, pages 13–25. Springer-Verlag, 2005. (Cited on pages 1 and 2.) HW07. Qiong Huang and Duncan S. Wong. Generic certificateless key encapsulation mechanism. In Josef Pieprzyk, Hossein Ghodosi, and Ed Dawson, editors, Proc. of Information Security and Privacy: 12th Australasian Conference, ACISP 2007, volume 4586 of Lecture Notes in Computer Science, pages 215–229. Springer-Verlag, 2007. (Cited on page 1.) HWZD06. Bessie C. Hu, Duncan S. Wong, Zhenfeng Zhang, and Xiaotie Deng. Key replacement attack against a generic construction of certificateless signature. In Proc. of Information Security and Privacy: 11th Australasian Conference, ACISP 2006, pages 235–246. Springer-Verlag, 2006. Lecture Notes in Computer Science vol. 4058. (Cited on page 1.) KD04. K. Kurosawa and Y. Desmedt. A new paradigm of hybrid encryption scheme. In M. Franklin, editor, Proc. of CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 426–442. Springer-Verlag, 2004. (Cited on pages 2 and 9.) KG06. Eike Kiltz and David Galindo. Direct chosen-ciphertext secure identity-based key encapsulation without random oracles. In Lynn Batten and Reihaneh Safavi-Naini, editors, Proc. of Information Security and Privacy: 11th Australasian Conference, ACISP 2006, volume 4058 of Lecture Notes in Computer Science, pages 336–347. Springer-Verlag, 2006. (Cited on pages 2 and 9.) Kil06. Eike Kiltz. Chosen-ciphertext security from tag-based encryption. In S. Halevi and T. Rabin, editors, Proc. of Theory of Crypgraphy - TCC 2006, volume 3876 of Lecture Notes in Computer Science, pages 581–600. Springer-Verlag, 2006. (Cited on page 3.) LAS. Joseph K. Liu, Man Ho Au, and Willy Susilo. Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model. To appear in ACM ASIACCS 2007. Full paper: http://eprint.iacr.org/2006/373. (Cited on pages 1 and 2.) LCS05. X. Li, K. Chen, and L. Sun. Certificateless signature and proxy signature schemes from bilinear pairings. Lithuanian Mathematical Journal, 45(1):76–83, 2005. (Cited on page 2.)

14


LQ06.

MRY04.

SG02. Sha84. Sho00.

Sho04. SK03. Sti94. Wat05.

WC81. YL04a. YL04b.

A A.1

B. Libert and J.-J. Quisquater. On constructing certificateless cryptosystems from identity based encryption. In 9th International Conference on Theory and Practice in Public Key Cryptography, PKC 2006, volume 3958 of Lecture Notes in Computer Science, pages 474–490. Springer-Verlag, 2006. (Cited on pages 1, 2, and 4.) P. MacKenzie, M. K. Reiter, and Ke Yang. Alternatives to non-malleability: Definitions, constructions, and applications. In M. Naor, editor, Proc. of Theory of Crypgraphy - TCC 2004, volume 2951 of Lecture Notes in Computer Science, pages 171–190. Springer-Verlag, 2004. (Cited on page 3.) V. Shoup and R. Gennaro. Secure threshold cryptosystems against chosen ciphertext attack. Journal of Cryptology, 15(2):75–96, 2002. (Cited on page 3.) A. Shamir. Identity-based cryptosystems and signature schemes. In Proc. of CRYPTO 84, volume 196 of Lecture Notes in Computer Science, pages 47–53. Springer-Verlag, 1984. (Cited on page 1.) V. Shoup. Using hash functions as a hedge against chosen ciphertext attack. In Proc. of EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 275–288. Springer-Verlag, 2000. (Cited on page 2.) Victor Shoup. ISO 18033-2: an emerging standard for public-key encryption (committee draft), June 2004. Available at http://shoup.net/iso/. (Cited on pages 2 and 3.) R. Sakai and M. Kasahara. Id based cryptosystems with pairing on elliptic curve. Cryptology ePrint Archive, Report 2003/054, 2003. http://eprint.iacr.org/2003/054. (Cited on page 2.) D. R. Stinson. Universal hashing and authentication codes. Designs, Codes, and Cryptography, 4(4):369–380, 1994. (Cited on page 9.) B. Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor, Proc. of EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 114–127. Springer-Verlag, 2005. (Cited on page 3.) M. N. Wegman and J. L. Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, 22(3):265–279, 1981. (Cited on page 9.) D. H. Yum and P. J. Lee. Generic construction of certificateless encryption. In ICCSA 2004, volume 3043 of Lecture Notes in Computer Science, pages 802–811. Springer-Verlag, 2004. (Cited on page 1.) D. H. Yum and P. J. Lee. Generic construction of certificateless signature. In Proc. of Information Security and Privacy: 9th Australasian Conference, ACISP 2004, volume 3108 of Lecture Notes in Computer Science, pages 200–211. Springer-Verlag, 2004. (Cited on page 1.)

Revisions of Definitions Public Key Encryption

A public key encryption scheme consists of three (probabilistic) polynomial-time algorithms, KG, Enc and Dec, which are for key generation, encrypting a message and decrypting a ciphertext, respectively. The standard notion of security of a public key encryption scheme is CCA2, which is defined by the following game between a challenger and a PPT adversary A: 1. The challenger runs KG(1k ) to obtain a public/private key pair (pk, sk), and sends pk to A. 2. A requests to decrypt a ciphertext ϕ of its choice, under the public key pk, and is returned m ← Dec(sk, ϕ). This process can be repeated for polynomially many times. 3. A submits two equal-length messages, (m0 , m1 ) to the challenger, which then selects a bit b ∈ {0, 1} at random, computes ϕ∗ ← Enc(pk, mb ), and returns ϕ∗ to A. 4. A continues to request to decrypt ciphertexts of its choice. 5. Finally, A outputs a bit b0 . We say A wins the game if b0 = b, and A didn’t request to decrypt ϕ∗ . We denote by P r[A Succ] the A wins the game, and define A’s advantage in the game to be AdvA = probability1 that P r[A Succ] − . 2


15

Definition 5. A public key encryption scheme PKE is CCA2 secure if for each PPT adversary, its advantage in the game above is negligible. A.2

Identity-Based Key Encapsulation Mechanism (IB-KEM)

An identity-based KEM scheme IB-KEM [CCMLS06] consists of a quadruple of (probabilistic) polynomial-time algorithms (KG, Extract, Encap, Decap). – KG takes as input 1k and outputs a public/private key pair (mpk, msk). – Extract takes as input msk and an identity ID ∈ {0, 1}∗ , and outputs the corresponding secret key skID . – Encap takes as input mpk and an identity ID, and outputs an encapsulation key pair (K, ψ) ∈ K × Empk,ID . ψ is called an encapsulation of K and K is considered to be uniformly Kmpk,ID K . distributed in Kmpk,ID – Decap takes as input (skID , ID, ψ) and outputs the corresponding key K or a special symbol ⊥ indicating invalid encapsulation. The security of IB-KEM is defined by the following game played between an adversary A and a challenger C: 1. C runs (mpk, msk) ← KG(1k ) and then runs A on input (1k , mpk). 2. In this game A could issue two kinds oracle queries as below: – Extract: A submits an identity ID and is returned the corresponding secret key skID . – Decap: A submits an identity ID and an encapsulation ψ, and is returned the corresponding key K or ⊥. 3. At some time, A submits a target identity ID∗ ∈ {0, 1}∗ . C then runs (K1 , ψ ∗ ) ← Encap(mpk, ID∗ ) K . A coin b is flipped and (Kb , ψ ∗ ) is returned to A. and randomly selects K0 ← Kmpk,ID 4. A continues to issue queries as in step 2. Finally it outputs a bit b0 as its guess for b. A is said to win the game above if b0 = b and (1) it didn’t issue an Extract on ID∗ ; (2) it didn’t issue a Decap query on (ID∗ , ψ ∗ ). Similarly, we denote the probability that A wins the game by P r[A Succ] and define A’s advantage as AdvA = P r[A Succ] − 12 . Definition 6. An identity-based KEM scheme IB-KEM is said to be ID-CCA2 secure if for each PPT adversary A, its advantage in the game above is negligible in the security parameter k. A.3

Date Encapsulation Mechanism (DEM)

A DEM is a symmetric encryption scheme which consists of two components, DEM.Enc and DEM.Dec associated to a key-space and message space defined by the security parameter k. We simply assume that the key-space KD is {0, 1}k while the message space is {0, 1}∗ . – Enc is an encryption algorithm that encrypts m into ciphertext χ by using symmetric key dk ∈ KD . We denote it by χ ← DEM.Encdk (m). – Dec is a corresponding decryption algorithm that recovers message m from the input ciphertext χ. We denote it by m ← DEM.Decdk (χ).

16


We only requre one-time security for DEM, which is defined by the following game played between a PPT adversary AD and a challenger C: 1. AD runs on input 1k and submits two equal-length messages (m0 , m1 ); 2. C randomly selects a key dk ← KD , flips a coin b ∈ {0, 1}, and computes χ ← DEM.Encdk (mb ). It then returns χ to AD ; 3. AD outputs a bit b0 as its guess for b. AD is said to win the game if b0 = b. The advantage of AD in the game above is defined by 1 0 AdvAD = P r[b = b] − 2 . Definition 7. We say that a DEM is one-time secure, if for each PPT adversary AD , its advantage AdvAD in the game above is negligible in k.

B

Proof of Theorem 1

Proof. Suppose that AI is a PPT adversary. The following is the ID-CCA2 attack lauched by AI against Type-I security of CL-KEM. Let O denote the oracles AI has access to, that include CreateUser, RevealPartialKey, RevealSecretKey, ReplaceKey and Decapsulation. Below we define a series of games G0 , G2 , · · · and denote by Xi the event that b0 = b in game Gi . The following are the descriptions of these games: [G0 ]: This is the original ID-CCA2 attack game. 1. (mpk, msk) ← CL-KEM.MasterKeyGen(1k ); k 2. (ID∗ , st) ← AO I (1 , mpk); ∗ 3. (K1 , ψ ) ← IB-KEM.Encap(mpk, ID∗ ), ϕ∗ ← PKE.Enc(upkID∗ , ψ ∗ ), (dk1 , mk) ← KDF2 (K1 ), σ ∗ ← MAC.Macmk (ϕ∗ ); dk0 ← KD ; b ← {0, 1}; ∗ ∗ ∗ 4. b0 ← AO I (st, (mpk, ID ), (dkb , ϕ , σ )). Note that in step 2 and step 4, AI is restricted to issue some particular queries specified in Game-I0 . [G1 ]: We modify the encapsulation oracle in such a way that in step 3, dk0 is generated by K running K0 ← Kmpk,upk ∗ , (dk0 , ∗) ← KDF2 (K0 ). By the security of KDF2 , we can easily ID∗ ,ID get that |P r[X1 ] − P r[X0 ]| is negligible in k. [G2 ]: We modify the encapsulation oracle again in such a way that in step 3, mk is randomly chosen from KM instead of derived from K1 by using KDF2 . It is straightforward to see that |P r[X2 ] − P r[X1 ]| is also negligible. Since in game G2 , mk is independently selected from its space, we can move it to the beginning of the game without any affect on P r[X2 ]. For clarity, we re-describe game G2 here: 1. (mpk, msk) ← CL-KEM.MasterKeyGen(1k ), mk ← KM ; k 2. (ID∗ , st) ← AO I (1 , mpk); 3. (K1 , ψ ∗ ) ← IB-KEM.Encap(mpk, ID∗ ), ϕ∗ ← PKE.Enc(upkID∗ , ψ ∗ ), (dk1 , ∗) ← KDF2 (K1 ), K σ ∗ ← MAC.Macmk (ϕ∗ ); K0 ← Kmpk,upk ∗ , (dk0 , ∗) ← KDF2 (K0 ); b ← {0, 1}; ID∗ ,ID ∗ 0 O ∗ ∗ 4. b ← AI (st, (mpk, ID ), (dkb , ϕ , σ )).


17

[G3 ]: Let (ID∗ , (dkb , (ϕ∗ , σ ∗ ))) be the challenge encapsulation of AI , and (ID, (ϕ, σ)) be a Decapsulation query issued by it. We say (ϕ, σ) is a valid encapsulation with respect to ID if the Decapsulation oracle would not output ⊥ on input (ID, (ϕ, σ)), and we denote by ForgeI the event that (ϕ, σ) is valid and σ is a valid MAC on ϕ with respect to mk (i.e., 1 ← MAC.Vrfymk (ϕ, σ)). Then we modify G2 in such a way that if event ForgeI occurs, we simply halt the game. Guaranteed by the strong one-time unforgeability of MAC, we have that |P r[X3 ] − P r[X2 ]| is negligible in k. Now suppose that P r[X3 ] − 12 is negligible in k, we can get that P r[X0 ] − 1 ≤ |P r[X0 ] − P r[X1 ]| + |P r[X1 ] − P r[X2 ]| + |P r[X2 ] − P r[X3 ]| + P r[X3 ] − 1 2 2 which is negligible in k as well. Then Theorem 1 is proved. All we left to show is that P r[X3 ] − 12 is negligible, as below: Lemma 4. P r[X3 ] − 21 is negligible in k. Proof (of Lemma 4). We construct a PPT algorithm B to break the ID-CCA2 security of the underlying identity-based KEM scheme IB-KEM. Given mpk, an Extract oracle OE and a Decapsulation oracle OD , B randomly selects mk from its space and then runs AI on input mpk. It is easy for B to simulate oracles CreateUser, RevealPartialKey, RevealSecretKey, ReplaceKey and Decapsulation. Note that when to answer a (distinct) RevealPartialKey query, B needs to issue a query to its oracle OE . At some point AI submits a target identity ID∗ . B forwards ID∗ to its own challenger and is returned (Kb , ψ ∗ ). It then computes ϕ∗ ← PKE.Enc(upkID∗ , ψ ∗ ), σ ∗ ← MAC.Macmk (ϕ∗ ) and (dkb , ∗) ← KDF2 (Kb ). B returns (dkb , (ϕ∗ , σ ∗ )) to AI , and continues to simulate oracles for AI . Note that to answer a Decapsulation query (ID∗ , (ϕ, σ)) issued by AI , B needs to issue a query to its oracle OD . Finally it outputs the bit b0 output by AI as its guess for b. Obviously, B perfectly simulates the oracles for AI in game G3 . Thus, if AI wins game G3 , B also succeeds in guessing the value of b. Hence, the advantage of B is 1 1 0 AdvB = P r[b = b] − = P r[X3 ] − 2 2 Guaranteed by the ID-CCA2 security of IB-KEM, we have that P r[X2 ∧ ForgeI ] + 12 P r[ForgeI ] − 21 is negligible in k. t u This completes the proof of Theorem 1.

C

t u

Proof of Theorem 2

Proof. Suppose that AII is a PPT adversary. The following is the ID-CCA2 attack launched by AII against Type-II security of CL-KEM. Again, we denote by O the oracles AII has access to, that include CreateUser, RevealSecretKey, ReplaceKey and Decapsulation. We define a series of games, Gi , and denote by Xi the event that b0 = b in game Gi .

18


[G0 ]: This is the original ID-CCA2 attack game. 1. (mpk, st1 ) ← AII (1k ); k 2. (ID∗ , st2 ) ← AO II (1 , st1 ); ∗ 3. (K1 , ψ ) ← IB-KEM.Encap(mpk, ID∗ ), ϕ∗ ← PKE.Enc(upkID∗ , ψ ∗ ), (dk1 , mk) ← KDF2 (K1 ), σ ∗ ← MAC.Macmk (ϕ∗ ); dk0 ← KD ; b ← {0, 1}; ∗ ∗ 4. b0 ← AO II (st2 , (dkb , ϕ , σ )). [G1 ]: In step 3, we randomly select mk from its space KM , and move this selection to step 1. Similar to the proof of Theorem 1, we have that |P r[X1 ] − P r[X0 ]| is negligible in k. [G2 ]: Let (ID∗ , (dkb , (ϕ∗ , σ ∗ ))) be the challenge encapsulation of AII , and let (ID, (ϕ, σ)) be a Decapsulation query issued by AII . We denote by ForgeII the event that (ϕ, σ) is valid and σ is a valid MAC on ϕ with respect to mk (i.e., 1 ← MAC.Vrfymk (ϕ, σ)). G1 is modified so that if event ForgeII occurs, we simply halt the game. It is clear that under the strong one-time unforgeability of MAC, AII ’s advantage in game G2 differs from its advantage in game G1 by a negligible amount. [G3 ]: This time we add the following to step 3 of G1 : (ψ ∗ )0 ←R Empk,ID∗ Obliviously, this modification doesn’t impose any affect on the view of AII . Thus, we have P r[X3 ] = P r[X2 ]. [G4 ]: The encryption oracle of G3 is modified in such a way that ϕ∗ is generated as below: ϕ∗ ← PKE.Enc(upkID∗ , (ψ ∗ )0 ) We claim that the following lemma: Lemma 5. Let PKE is the maximum advantage of a PPT adversary against PKE and q is the maximum number of CreateUser queries (which is polynomial in k) issed by AII . Then |P r[X3 ] − P r[X4 ]| ≤ 2q · PKE Guaranteed by the CCA2 security of PKE, we get that |P r[X4 ] − P r[X3 ]| is negligible. For clarity, we describe this game as below: 1. (mpk, st1 ) ← AII (1k ), mk ← KM ; k 2. (ID∗ , st2 ) ← AO II (1 , st1 ); 3. (K1 , ψ ∗ ) ← IB-KEM.Encap(mpk, ID∗ ), (dk1 , ∗) ← KDF2 (K1 ), (ψ ∗ )0 ←R Empk,ID∗ , ϕ∗ ← PKE.Enc(upkID∗ , (ψ ∗ )0 ), σ ∗ ← MAC.Macmk (ϕ∗ ); dk0 ← KD ; b ← {0, 1}; ∗ ∗ 4. b0 ← AO II (st2 , (dkb , (ϕ , σ ))). Note that in game G4 , the challenge encapsulation (ϕ∗ , σ ∗ ) is generated totally independently of dk0 , dk1 , thus the adversary’s advantage in this game would be zero. Hence, we have the following: 1 P r[X0 ] − ≤ |P r[X0 ] − P r[X1 ]| + |P r[[X1 ] − P r[X2 ]| 2 1 + |P r[X2 ] − P r[X3 ]| + |P r[X3 ] − P r[X4 ]| + P r[X4 ] − 2 which is negligible in k as well. We now show Lemma 5, as below:


19

Proof (of Lemma 5). We construct a PPT algorithm D to break the CCA2 security of the underlying public key encryption scheme PKE. Given pk and a decryption oracle OD , D runs AII on input 1k which returns a master public key mpk. It then randomly selects i ∈ {1, 2, · · · , q} and simulates the oracles for AII . There are something we need to note: – To answer the j-th (j 6= i) distinct CreateUser query, D randomly generates a user key pair for IDj and returns the user public key; while to answer the i-th distinct CreateUser query, it sets the user public key of IDi to be pk and returns it to AII . – To answer a Decapsulation query related to IDi , D needs to issue a query to its oracle OD . – If AII issues a RevealSecretKey or ReplaceKey query related to IDi , D aborts and outputs a random bit. At some time, AII submits a target identity ID∗ . If ID∗ 6= IDi , D aborts and outputs a random bit. Otherwise, it computes (K1 , ψ ∗ ) ← IB-KEM.Encap(mpk, ID∗ ), (ψ ∗ )0 ← Empk,ID∗ , sets (ψ0∗ , ψ1∗ ) ← (ψ ∗ , (ψ ∗ )0 ), sends (ψ0∗ , ψ1∗ ) to its own challenger, and is returned ϕ∗ which is an encryption of ψδ∗ , where δ ∈ {0, 1}. D computes (dk1 , ∗) ← KDF2 (K1 ), σ ∗ ← MAC.Macmk (ϕ∗ ), randomly selects dk0 ← KD , flips a coin b and returns (dkb , (ϕ∗ , σ ∗ )) to AII , which then continues to issue oracle queries. Finally, AII outputs a bit b0 . If b0 = b, D outputs δ 0 = 1; otherwise, it outputs δ 0 = 0. Obviously, the probability that D doesn’t abort for the problem with IDi is at least 1/q. On the other hand, suppose that D guesses the correct value of i, if ϕ∗ is an encryption of ψ ∗ , then the view of AII is identical to game G3 ; if ϕ∗ is an encryption of (ψ ∗ )0 , the view of AII is identical to game G4 . That is, P r[b0 = b | δ = 1] = P r[X3 ], and P r[b0 = b | δ = 0] = P r[X4 ]. Thus, we get the following: 1 0 AdvD = P r[δ = δ] − 2 1 1 1 1 0 0 ≥ 1− + P r[δ = 1 ∧ δ = 1] + P r[δ = 0 ∧ δ = 0] − 2 q q 2 1 1 1 1 1 = P r[δ 0 = 1 | δ = 1] + − P r[δ 0 = 1 | δ = 0] − q 2 2 2 2q 1 P r[δ 0 = 1 | δ = 1] − P r[δ 0 = 1 | δ = 0] = 2q 1 = P r[b0 = b | δ = 1] − P r[b0 = b | δ = 0] 2q 1 = |P r[X3 ] − P r[X4 ]| 2q t u This completes the proof of Theorem 2.

D

t u

Proofs of Lemma 2 and Lemma 3

Proof (Sketch). We modify CL-HE.Enc in step 4 of Game-I in such a way that DEM.Enc takes a random key dk 0 instead of the one generated by CL-TKEM.Key. We denote this new game by

20


Game-I∗ , and by X and X ∗ the events that b0 = b in Game-I and Game-I∗ respectively. Now we show that |P r[X] − P r[X ∗ ]| is negligible in k. We construct a PPT adversary ACL-TKEM to break the security of CL-TKEM by using the 1 adversary A1 which is against the Type-I security of CL-HE. Given mpk, ACL-TKEM forwards 1 it to A1 . CreateUser, RevealPartialKey, RevealSecretKey ReplaceKey queries issued by A1 can be answered by ACL-TKEM by forwarding them to its own oracles and backwording the answers to 1 A1 . To answer a Decryption query (e, χ), ACL-TKEM forwards (e, χ) to its Decapsulation oracle, 1 and is returned a symmetric key dk. It then uses dk to decrypt χ under DEM. The recovered message is returned to A1 . If ⊥ is returned from Decapsulation oracle, it is directly forwarded to A1 . After A1 giving the target identity ID∗ and two messages (m0 , m1 ), ACL-TKEM first submits 1 ID∗ to its challenger and is returned dkδ where δ ∈ {0, 1}. It randomly selects b ← {0, 1} and computes χ∗ = DEM.Enc(dkδ , mb ). Then it sends χ∗ to CL-TKEM as a tag and is returned e∗ . Ciphertext (e∗ , χ∗ ) is sent to A1 . Finally, A1 outputs b0 . If b0 = b, ACL-TKEM outputs δ 0 = 1 1 0 indicating dkδ is the real key; other it outputs δ = 0 indicating dkδ is a random key. Observe that the view of A1 is identical to that in Game-I if δ = 1, and that in Game-I∗ if δ = 0. That is, P r[b0 = b|δ = 1] = P r[X] and P r[b0 = b|δ = 0] = P r[X ∗ ]. Thus, we get the following: P r[δ 0 = δ] − 1 = P r[δ 0 = 1 ∧ δ = 1] + P r[δ 0 = 0 ∧ δ = 0] − 1 2 2 1 = P r[δ 0 = 1 | δ = 1] − P r[δ 0 = 1 | δ = 0] 2 1 = P r[b0 = b | δ = 1] − P r[b0 = b | δ = 0] 2 1 = |P r[X] − P r[X ∗ ]| 2 Guaranteed by the Type-I Tag-ID-CCA2 security of CL-TKEM, we have that |P r[X] − P r[X ∗ ]| is negligible in k. To prove Lemma 2, we need to show that P r[X ∗ ] − 12 is also negligible. Note that GameI∗ actually conducts a passive attack to DEM. We construct a PPT adversary ADEM to break the 1 DEM one-time security of DEM by using A1 . A1 generates (mpk, msk) by running CL-HE.MasterKeyGen and runs A1 on input mpk. All the oracles queries issued by A1 can be perfectly answered by ADEM by its knowledge of msk. When A1 submits a target identity ID∗ and two messages 1 (m0 , m1 ), ADEM forwards (m0 , m1 ) to its challenger and is returned a ciphertext χ∗ . Then it 1 ∗ generates e by following CL-TKEM.Key and CL-TKEM.Encap by using χ∗ as a tag, and sends (e∗ , χ∗ ) to A1 . Note that the key chosen by ADEM ’s challenger and the one embedded in e∗ are 1 DEM independently and randomly chosen. Finally, A1 outputs the bit b0 output by A1 . ∗ It’s readily to see that Game-I is perfectly simulated and ADEM wins if A1 wins. There1 ∗ fore, guaranteed by the one-time security of DEM, we get that P r[X ] − 21 is negligible. This completes the proof of Lemma 2. Lemma 3 can be proved as well in a similar way. t u